ID. Date of interview 
date 40/92/20 


ID. Time interview started 
start 10:53:35 


ID.end Completion date of interview 
Date = 40/02/20 


ID.end Time interview ended 
10:58:14 


ID. Duration of interview 
time 4.65 


new case 


ICO consultation on the draft right of access 
guidance 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Q3 


Does the draft guidance contain enough examples? 
O) Yes 

©) No 

© Unsure / don't know 


If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 


For the most part, examples are clear in the circumstances. In relation to exemptions, further clarity 
could be more helpful for example, in the exemption “the individual is targeting a particular employee 
against whom they have a personal grudge” — would this include an employee’s manager or colleague? 
Furthermore, more clarity on the scope /example of management forecasting information in companies 
would be helpful. The example is clear, but there are other management forecasts where there is less 
clarity of the scope and applicability — e.g headcount forecasting of the number of employees and their 
effectiveness in role due to restrictions and the business ability to support the increased numbers of 
employees with such restrictions and availability of suitable roles 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 

unfounded or excessive’ subject access requests. We would like to include a wide 

range of examples 

from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 

requests below (if applicable). 


DSAR requests from employees broadly fall into 3 categories: 1 they just want a 
copy for personal record, 2 they need information to pursue a legal claim not 
associated with the company (eg car accident) or 3 they are in conflict with the 
company - grievance/disciplinary/ dismissal. In cases where a data subject submits 
a DSAR for option 3, they often are dissatisfied with the data supplied to them in 
good faith. There is a lack of clarity of understanding of DPA and the “right of 
access” to their own personal data only. This can often lead to a situation where the 
data subject continues to submit more and more requests, to find information that 
they might not even be entitled to under DPA / where there is a justification 
/exemption for withholding the personal data - eg it could impact the person who 
wrote the date such as in a grievance. Where possible we try to respond to all DSAR 
in good faith, but the balance of privacy for all data subjects can be difficult to 
satisfy a specific individual when they are in such difficult and stressful situations. 


Q5 Ona scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-Slightly Moderately 4 — Very 


5 — Extremely 
useful useful useful 


useful useful 


O Q © 


Q6 Why have you given this score? 


The guidance is detailed and tries to address varied scenarios, and application and 
expectation of DPA expectations and the ICO. Itis written clearly and working in a 


transnational EU team, the ICO guidance is often referred to as way to communicate 
the company standards / guidelines as good practise. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree 


Strongly 
disagree Disagree nor disagree 


Agree agree 


é © 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


The calendar month of 28 days is clear although this reduces the time further to 
response to DSAR as stipulated in the DPA /GDPR. Most organisations make genuine 
effort to respond to DSAR as soon as possible, however, relying sometimes on other 
functions to supply the data, and then to scrutinise it in the 28-calendar timeframe 
will be challenging. On implementation of GDPR I worked to 30 days (on the basis 
of 365/12) which, given weekends and bank holidays allows additional time and 
enables compliance to the calendar month requirement stipulated in the DPA/GDPR 
without the need to notify data subjects of a potential extension and possibly 


frustrate them. (Note: this is only for complicated DSAR and average response time 
in 2019 was 20 days) 


Are you answering as: 

C) An individual acting in a private capacity (eg someone providing their views as a member of the public) 
© An individual acting in a professional capacity 

©) On behalf of an organisation 

() Other 

Please specify the name of your organisation: 

Airbus 

What sector are you from: 

Aerospace 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(_) ICO Facebook account 
(_) ICO LinkedIn account 
C) ICO website 


( `) ICO newsletter 


C) ICO staff member 


( ) Colleague 


(_) Personal/work Twitter account 
(`) Personal/work Facebook account 
© Personal/work LinkedIn account 
C) Other 

If other please specify: 


